DRM

Ick! Enter the era of "secure boot" where the lure of getting the "Windows 8 approved" sticker means hardware manufacturers will hand the keys over to Microsoft. As Peter da Silva says: "Belgium. Belgium, Belgium, Belgium."

Pretty good article describing How FairPlay Works (Apple's DRM scheme for iTunes/iTMS/iPod): I didn't realize that AAC itself (without the DRM) isn't an Apple creation, but an open standard by the same consortium that created MP3

Voting

Jon Stokes at Ars Technica has written an article entitled "How To Steal an Election". The PDF file is available here. (It's copyrighted, but permission is granted to distribute it if you link to the original article and PDF, as I've done here.) The rush to implement touchscreen voting with no paper trail as a backup is extremely worrisome; how long before we have a successful fraud that tips the balance of an election?

Best Practices

Great analysis of PIN frequency — take-aways: (1) don't start your PIN with "19" or "20" (4-digit year), (2) don't start your PIN with "0" or "1" (most common), and (3) use big gaps between digits (prefer "38" to "45") — of course, best is to use a PIN bigger than 4 digits, if you can

Fraud

$45,000 stolen in phone porting scam: The thieves tricked this man's daughter into revealing his mobile phone number, had the phone "ported" to a new provider so they could control it, and were then able to satisfy two-factor protections and drain money from the man's account

Every vulnerability these days has to also break out of whatever sandbox it's in to be useful. I keep seeing "and then we bypass protected mode" in vulnerability write-ups, and it leaves me with the impression that protected mode isn't that hard to evade. Apparently protected mode isn't very tight:

Bekrar said his team has found “many vulnerabilities in Protected Mode” that are all unpatched. ”We used a memory corruption vulnerability in the way Protected Mode is implemented but we have found many more vulnerabilities there.”

Yikes: Slowloris, a recent implementation of an attack method described in 2005 and 2007 — a relatively low-bandwidth way to hamstring an HTTP server using partial HTTP requests — apparently, though, iptables can be used to defend against this by closing connections that are being held open too long

Evilgrade highlights the vulnerabilities that result when software vendors don't securely sign their software updates — you can trick an app that listens for updates into downloading and installing something malicious

The Firesheep Firefox extension demonstrates the flaw in a pervasive security model: Even if the initial login+password to a web site is encrypted with SSL, if the rest of the site is not encrypted, sniffers (e.g. on a public WiFi hotspot) can grab your session cookie and then do anything as you. Encryption of the whole site via SSL is the only solution to this problem. Or see Idiocy for another way to highlight the issue. :-)

How to Hack Millions of Routers: a security consultant has brought together several long-standing vulnerabilities, including DNS rebinding, to produce a technique that gives access to the local networks behind Internet routers (DSL modems, including DD-WRT, etc.)

Feb 2009: SSLstrip: A devious little man-in-the-middle tool that changes all https: links to http:, adds a padlock symbol as the favicon, and uses a lookalike character for "/" to make the front part of the URL look like the right server — combined with arpspoof, allows interception of all sensitive traffic on the local network — Forbes article

Pilosov and Kapela publicize a BGP rerouting method (more) (it isn't really even an "attack" since this is the way BGP is designed to work) which allows someone to intercept (and eavesdrop on) traffic bound for a certain IP range. Mudge from L0pht had already pointed this out a decade ago.

Steven J. Vaughan-Nichols says in his article How CAPTCHA Got Trashed that CAPTCHA isn't a viable solution any more. One of his contributors said "harder CAPTCHA solutions mean harder problems for people as well" which I think is the key point — we've reached the "crossover point" where CAPTCHAs that are sufficiently hard to break are harder to use than users will tolerate. (And that doesn't even cover solutions that use humans to break the CAPTCHA for you...)

Current research on breaking CAPTCHA: Preventing segmentation (breaking the CAPTCHA word up into individual characters) is very important to making it resist attacks (apparently OCR'ing individual letters, however distorted, is not too hard). Microsoft's CAPTCHA algorithm apparently allows segmentation too easily.

Insidious automated ARP cache poisoning/HTML injection attack: a machine sits on the network, and poisons the ARP cache for clients on that network to make them think its NIC is the default gateway; acting as a man-in-the-middle, it rewrites HTTP sessions to insert a hostile 0-size <iframe>; client web surfing to any site can now include code for anything the browser is vulnerable to

Dan Kaminsky continues to astound; his work in 2007 includes circumventing the browser's trust model using a combination of DNS entries, a custom TCP/IP stack written in Flash, etc. — now you have a "beachhead" behind the firewall/within the intranet to send whatever exploits you want

"Inter-protocol Exploitation" technique: (1) Establish a control channel between a browser's JavaScript engine and an outside controller, so that JS commands can be passed to it, and then (2) have the JavaScript engine assemble protocol frames to attempt exploits from within the network; optionally (3) combine with XSS for an even more dangerous combination

"Drive-By Pharming" (or Cross-Site Request Forgery, CSRF): JavaScript on a web page that attempts to log into routers and other local network devices using default passwords, and then alters DNS settings to point to a poisoned DNS server

Why Phishing Works ("To summarize the summary of the summary: people are a problem." — Douglas Adams)

Mac OS X

Fuzzing is still a useful technique, all these years later — and it's clear vendors aren't doing it themselves. Charlie Miller (past winner of Pwn2Own) has found 20 hackable flaws in Mac OS X Preview.app through a simple fuzzing technique. “"It's shocking that Apple didn't do this first," Miller told us in an interview. [...] "Microsoft, Apple, and Adobe all have huge security teams, and I'm one guy working out of my house," he says. "I shouldn't be able to find bugs like these, ever."”

Mobile

The only significant concern I have, personally, in the Carrier IQ scandal
is the issue of keystroke capturing — because I use KeePass to store
all my passwords on my phone. Carrier IQ vehemently denied that they track
keystrokes, whereas the original and subsequent research says they do.
What's the deal?
This article
sheds some light on the disconnect; Carrier IQ says in "some Carrier
IQ implementations" (remember that each cell provider can customize
their bloatware implementation), "keystroke data is being recorded in
the log file, but that the data isn't sent back to Carrier IQ and the
operators' database". Well, not intentionally transmitted anyway;
but other apps presumably can sneak access to the data, and who knows
whether an oversight might result in that data getting slung upstream
unintentionally?

Joanna Rutkowska's "Evil Maid Attack" — use a USB boot device to install a rogue boot loader, then capture your passwords etc. the next time you power it up. The moral, as always, is that when they get physical access, all bets are off.

Small is beautiful:
UK mobile application developer Masabi
has launched EncryptME,
a Java ME security component with officially validated implementations
of 4096-bit RSA and 256-bit AES... in only 3K! "Using a single
SMS message, or a few bytes of GPRS data, EncryptME can set up a
secure session and sign up a new user, a new credit card, and make
a transaction." Nicely done.

Hardware

Malicious people could potentially set your HP printer on fire by feeding it a destructive firmware update — Stuxnet proves that keeping your printer in a secure VLAN isn't sufficient protection against this kind of attack — what other devices will be vulnerable to attacks like this in the future?

Description of one thief's use of gift card cloning; clever way to get around "must be activated at register", and completely defeats long-random-token — via Schneier: article comments have some effective countermeasures (e.g. verifying the last 4 of the printed (visible) card number matches the magstripe), and a list of insider (staff) vulnerabilities

Windows

Multicore CPUs Move Attack from Theoretical to Practical: using a timing attack (race condition) to trick the Windows kernel into executing an SSDT (kernel) call with malicious parameters — this attack was known way back in 1996 (vs. Unix), but was almost impossible to exploit on single-core systems; modern multi-core systems make it much easier

Wow; a privilege escalation vulnerability that affects all versions of Windows clear back to Windows NT 3.1 — this leverages a bug in the legacy code that supports 16-bit applications — this is one serious drawback to the "backward compatibility forever" approach, your code base only grows, and you retain vulnerabilities from the dawn of time

Brian Krebs at the Washington Post did an analysis of
how long it takes Microsoft to release patches for "critical" vulnerabilities
and the results are interesting. In cases where there's no full disclosure, despite their "Trustworthy Computing" initiative, their time to release "critical" patches has actually risen to an average of 134.5 days (over 4 months). Microsoft steadfastly maintains that the reason for this long time is testing — quality control of the patch to ensure the public trusts Microsoft patches and is willing to install them (which I think is telling in itself). But when there's full disclosure and publication of a working exploit, he says:

one area where Microsoft appears to be fixing problems more quickly is when the company learns of security holes in its products at the same time as everyone else. Advocates of this controversial "full disclosure" approach believe companies tend to fix security flaws more quickly when their dirty laundry is aired for all the world to see [...] In cases where Microsoft learned of a flaw in its products through full disclosure, the company has indeed gotten speedier. In 2003, it took an average of 71 days to release a fix for one of these flaws. In 2004 that time frame decreased to 55 days, and in 2005 shrank further to 46 days.

"[Dan] Geer's graph shows that Microsoft increased its time-to-patch gap by a little more than one day per month from the start of 2003 to the end of 2005."

Sanitizing MS Word documents (removing hidden data)

Research reveals that even "sanitized" anonymous data is easy to correlate to real people. "Using public anonymous data from the 1990 census [...] 87 percent of the population in the United States [...] could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth." "It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people."

Schneier
writes
about "identity theft" which he points out is a misnomer (identity is not
"stolen"; the issue is fraudulent use of identification info.). There
are two parts to these crimes: obtaining private data that can be used
to impersonate, and using that data to conduct fraudulent transactions.
Solutions that only focus on the first are insufficient.

IBM's
rebuttal (PDF)
to criticisms about TCPA. In short: TCPA might be used with Palladium
and/or DRM, but those are separate elements requiring separate critique.
TCPA is basically a "smart card built into the computer" and with ties
to the BIOS. Cf. also the classic
Ross Anderson FAQ on TCPA.

HD Moore (Metasploit) points out that in the current climate,
"There is no way to report a vulnerability safely"
(Robert Lemos article). This is a bad trend. Security researchers
(including students) who act responsibly in good faith should be
rewarded for reporting vulnerabilities, not prosecuted for it! Pascal
Meunier at Purdue (CERIAS) describes
his recent experience
with this problem.

Pinch My Ride (Wired):
Insurance companies often believe modern auto "passive antitheft
systems" are infalliable, and deny theft claims since the car is
"impossible" to steal. Worse: Some Honda models apparently have a back
door (pulling the emergency brake, of all things) coded to your VIN.

Lockpicking used to be a relatively rare skill, but the Internet has
spread this knowledge out to a lot more people. Not long ago, someone
developed a technique for producing a master key, given a few normal
keys (think college dorm). Now we have
Sneakey:
a new technique that can use a digital picture of a set of keys to
reverse-engineer them.

Malware has evolved to the point where we can talk about it in terms
of an "industry" that has "products and services" and a "business
model":
Malware as a Service (MaaS)

Interesting point about mobile malware and sandboxing: restricting all applications in sandboxes or in user-only mode, means that security software is also so restricted — and therefore, malware which takes advantage of vulnerabilities to root the mobile device can do more than the security software can

The Stuxnet worm, which appears to be written specifically to target SCADA systems, uses multiple Windows vulnerabilities (some 0-day). "These guys are absolutely top of the line in terms of sophistication." NYT article and Fox News article with more specifics; this is an amazingly targeted attack. It has now been revealed that Stuxnet was created by the U.S. and Israel; it wasn't supposed to leave the Iranian facility but it escaped.

ARP spoofing + JavaScript insertion — one compromised host on your net can insert itself between all hosts and the router, and then inject JavaScript malware into every web page received by every browser — use arpwatch to detect

Joe Stewart (one of my favorite analysts) produced the Conficker Eye Chart which will reveal a Conficker infection on the browsing machine, since Conficker blocks HTTP connections to certain anti-malware sites

Amusingly, Conficker can spread via USB drives, which takes us back to the pre-Internet era when malware spread via floppy disks. :-) Microsoft has now released an update to disable AutoPlay for USB drives (must manually download it on older Windows versions)

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of those responsible.

Oct 2008, a new malware technique "return-oriented programming" which evades defenses like W^X and signed (trusted) code. Very clever stuff.

Oct 2008, a new TCP threat "Sockstress" is starting to be discussed; apparently it's a flaw in the TCP state table implementation of a whole lot of vendors, which can lead to DoS; could be quite a widespread issue.

New virus Kraken which uses dynamic DNS; not only can that redirect to new IPs when the old ones are shut down, but Kraken has an algorithm for switching to a new dynamic DNS hostname when the old one is shut down.

Since new vulnerabilities are always coming along, 0wned computers
may get swiped by a new 0wner at any time. "The bot network industry
has become so profitable, and hijacked computers so valuable, that
rival gangs are now fighting over them."

Excellent set of articles describing the history of the spam arms race, and
in particular how viruses (beginning with Sobig) have added a new dimension.

Oct 18, 2006: SpamThru Trojan Analysis by Joe Stewart (SecureWorks) is a great analysis of the latest trojan-as-spam-vector technology (and a followup: SpamThru Statistics) — I have been getting lots of this GIF-attachment spam for some time now, and this explains why

ID and Privacy

Marketers are using every trick they can to tag your browser with a unique ID that will track you across all their sites. The latest is using HTML5's client-side database storage to add an ID — mysteriously, even if this storage element is removed, it is re-added by the server with the same ID. This is on the heels of some marketers who use Flash cookies, which are separate from regular browser cookies and are not removed by the browser's "clear cookies" function — the Flash cookie is used to re-created the traditional cookie after it's been removed. And now we have an even more advanced form of this: evercookie, a JavaScript API which uses no less than eight forms of cookie storage (HTML cookies, Flash cookies, cached PNGs, web history, and HTML 5 local storage). Here is a summary and ways to kill the evercookie.

GAO investigates flaws in passport issuance: "No credential can be more secure than its breeder documents and issuance procedures" (Schneier): If you can get a passport using forged documents, then all the high-tech anti-passport-forgery technology isn't going to help.
Real ID still lumbers on (including follow-on PASS ID), with 36 states not in compliance by the December 31, 2009 deadline.